MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31f84b5a677f3be143c04055bf0d6dc79433332d98e7fd89c68429c2192ac385. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adhubllka

Vendor detections: 11



SHA256 hash: 31f84b5a677f3be143c04055bf0d6dc79433332d98e7fd89c68429c2192ac385
SHA3-384 hash: 2ef24fdda218bdc76e5b3c1568046ab46a3b3c298d092d2df335b1ae558910f3cc6068c0d5a644cb9a0b22851fec4020
SHA1 hash: 61bf8f0da074f12e7a37d9f2900eff382af939f1
MD5 hash: 0e5bd98bcf1ef9bef39f19f41e1aabfb
humanhash: bravo-missouri-potato-tennis
File name: 0e5bd98bcf1ef9bef39f19f41e1aabfb.exe
Signature: Adhubllka
File size: 1'312'768 bytes
First seen: 2021-12-05 08:19:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:jjZRYoIKfOn9ThhqMm3lMx4D4Qmq0Sg3g1MLZhTtqNd/hZRkCv9/6XI8PjM7FBdi:/ZRYTV99NVcdfac
Threatray: 51 similar samples on MalwareBazaar
TLSH: T12C55EC9F1A18267BB25286FBC83F0635F1F2E725533A818B151C4C42D6B27967EAF1C4
Reporter: abuse_ch
Tags: Adhubllka exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 258
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0e5bd98bcf1ef9bef39f19f41e1aabfb.exe
Verdict: Malicious activity
Analysis date: 2021-12-05 08:22:32 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Unauthorized injection to a recently created process
Searching for synchronization primitives
Creating a file
Creating a window
Launching the default Windows debugger (dwwin.exe)
Changing a file
Moving a recently created file
Modifying an executable file
Creating synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system executable file
Searching for the window
Forced shutdown of a system process
Forced shutdown of a browser
Encrypting user's files
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: BitRansomware
Verdict: Malicious

Result
Threat name: Cryptolocker
Detection: malicious
Classification: rans.spre.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide a thread from the debugger
Drops executable to a common third party application directory
Found ransom note / readme
Found Tor onion address
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Yara detected Cryptolocker ransomware
Threat name: ByteCode-MSIL.Ransomware.W3CryptoLocker
Status: Malicious
First seen: 2021-12-05 06:30:22 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: persistence ransomware
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Enumerates connected drives
Modifies Installed Components in the registry
Unpacked files

SHA256 hash: bbed28fb6df02eddea21d11e84af8698a1017c5c3bffaabf8abdaa22770b306a
MD5 hash: 2fe5b66d6a928e39a6f632f677f7a647
SHA1 hash: c6ce37e74f1b560bbfcff1da8a9f16ebc6bc9f5e

SHA256 hash: de1f95f0ae71a3c0cc6b496c52e62ba21a95e442e70cab81bff6c9640e05861c
MD5 hash: c39c2cd90fb52df1330213a012ae57c6
SHA1 hash: 120d25d397d12d10b51ffb2578d7b8f202cb66d6
Detections: win_adhubllka_a0 win_adhubllka_auto

SHA256 hash: d9d6f3d221576ded096d71f8a074d13382dca1b324722515cf451ff89804fa78
MD5 hash: 3dd47ca460ff6e2a773c0fa31bec5b2e
SHA1 hash: f99867de3c974d18a2d6e6f13cd916d9a85355a6

SHA256 hash: cf125d02a9579232b47b3f0eceb5d6f350ec22aa0e3d806590629b2261c1d190
MD5 hash: cbafeb4bd25428747ec3633fd7652a7b
SHA1 hash: 5b7fc1ec27664dcffb97b16f6ad98a4eea963b7f

SHA256 hash: c3ba5c142793e5ef6e4f98c3b5db2d84bfb619adc349775382124964e54b8235
MD5 hash: 30121a4aee859f36a425a32173d525a5
SHA1 hash: 5a122bc8d09e635796e1b2214cdbbc9d638a690b

SHA256 hash: 53c0f65fdae6324cd631947c84e079b7645e913c24c28716b85b3e824795f35f
MD5 hash: 3b3391f5ff466a22783ed93ea30fd5e8
SHA1 hash: 39a0e0e4a8df693b4bda62ab70014700e66bb1ca

SHA256 hash: d47c6bb8be0f44110ef2ec78b4b601e3bce6223ab5ae3bb7638277f39950fe26
MD5 hash: d61ec7600c6f8382c81c04a5570edf4c
SHA1 hash: 0133d82a644ee6246561cd1c8ee7cf5369585cc3

SHA256 hash: 00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash: bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash: cdf7dd7dd1771edcc473037af80afd7e449e30d9

SHA256 hash: ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash: a35ee23aaab26afc575ac83df9572b57
SHA1 hash: 81ea38c694ce9702faddfb961f17c1bbf628a76d

SHA256 hash: 31f84b5a677f3be143c04055bf0d6dc79433332d98e7fd89c68429c2192ac385
MD5 hash: 0e5bd98bcf1ef9bef39f19f41e1aabfb
SHA1 hash: 61bf8f0da074f12e7a37d9f2900eff382af939f1
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_adhubllka_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.adhubllka.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adhubllka
Executable exe 31f84b5a677f3be143c04055bf0d6dc79433332d98e7fd89c68429c2192ac385 (this sample)

Delivery method: Distributed via web download
